Fix build after "executor: remove unused var flag_sandbox_privs".
Some variables/functions can't be static as they are unused on some OSes,
which produces unused warnings.
I guess the condition was always meant to be "!ok || try > 10".
So we always ignored non-executor failures, and failed on executor ones.
I think now it's better to just retry always. If the error is something
persistent we will fail after 10 tries anyway.
Currently we have a global fixed set of sandboxes,
which makes it hard to add new OS-specific ones
(all OSes need to be updated to say that they don't
support this sandbox).
Let each OS say what sandboxes it supports instead.
executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
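The sandbox described above drops to an app UID, sets Android-aware supplementary groups, and relabels the process without libselinux. The following is an added example illustrating those mechanisms; it is not syzkaller's executor code. The AID_* values (app UID range 10000-19999, inet = 3003, everybody = 9997) and the SELinux labels are assumptions taken from Android's conventions, and the function names are made up for this example. The label write goes to /proc/self/attr/current (what libselinux setcon() does) and the file relabel is a security.selinux xattr (what setfilecon() does).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// Assumed Android identity constants (AID_* from android_filesystem_config.h).
const (
	aidAppStart  = 10000 // first UID reserved for third-party apps
	aidAppEnd    = 19999 // last such UID
	aidInet      = 3003  // "inet" group: required to create sockets
	aidEverybody = 9997  // group every app is a member of
)

// IsAppUID reports whether uid lies in the range reserved for applications.
func IsAppUID(uid int) bool { return uid >= aidAppStart && uid <= aidAppEnd }

// SetProcessContext is the libselinux setcon() equivalent: the kernel accepts
// the new label as a single write to /proc/self/attr/current.
func SetProcessContext(ctx string) error {
	f, err := os.OpenFile("/proc/self/attr/current", os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write([]byte(ctx))
	return err
}

// SetFileContext is the libselinux setfilecon() equivalent: the label is the
// NUL-terminated value of the security.selinux extended attribute.
func SetFileContext(path, ctx string) error {
	return syscall.Setxattr(path, "security.selinux", append([]byte(ctx), 0), 0)
}

// DropToUntrustedApp moves the current process to an app identity.
// Order matters: groups and gid first (they need CAP_SETGID, lost with
// the uid), then uid, then the SELinux transition.
func DropToUntrustedApp(uid int, ctx string) error {
	if !IsAppUID(uid) {
		return fmt.Errorf("uid %d is outside the app range %d-%d", uid, aidAppStart, aidAppEnd)
	}
	if err := syscall.Setgroups([]int{aidInet, aidEverybody, uid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setresgid(uid, uid, uid); err != nil {
		return fmt.Errorf("setresgid: %w", err)
	}
	if err := syscall.Setresuid(uid, uid, uid); err != nil {
		return fmt.Errorf("setresuid: %w", err)
	}
	// The drop must be irreversible: regaining root now has to fail.
	if syscall.Setuid(0) == nil {
		return errors.New("privilege drop not effective: setuid(0) succeeded")
	}
	return SetProcessContext(ctx)
}

func main() {
	// Needs root and an SELinux-enabled Android kernel to succeed.
	if err := DropToUntrustedApp(aidAppStart, "u:r:untrusted_app:s0"); err != nil {
		fmt.Println("sandbox setup failed:", err)
		return
	}
	fmt.Println("running as untrusted app:", os.Getuid(), os.Getgid())
}
```

The setuid(0) check after the drop is the cheap self-test a sandbox should always carry: if it succeeds the executor is still privileged and must bail out rather than fuzz.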
We used to use gcc for test OS, but this is linux-specific.
Other OSes may use c++ or clang as main compiler, so use whatever
is the default for the host OS.
Update #712
For vmm we need a pre-created image.
So if one is provided in the userspace dir,
copy it to output. This should be enough
to get vmm working.
Update #712
We currently have this list in multiple places (somewhat diverged).
Specify this "overcommit" property in VM implementations.
In particular, we also want to allow overcommit for "vmm" type.
Update #712
After generating syscall description for fidl files using fidlgen, prune
all unused structs using the exact same mechanism used by the compiler's
check for unused structs. This allows the FIDL compiler to support
modular compilation; it does not need to have global knowledge of
whether each struct is used or not.
Allow a special case of cross-reporting duping:
from the last but one reporting to the last one (which is stable, final destination)
provided that these two reportings have the same access level and type.
The rest of the combinations can lead to surprising states and
information hiding, so we still don't allow them.
Fixes #569
Recently Debian image was updated to be 'stretch' from 'wheezy'. The
ssh command got missed.
Update the ssh command to use 'stretch' instead of 'wheezy'.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
During rcu stalls and cpu lockups the kernel loops in some part of code,
usually across several functions. When the stall is detected, traceback
points to a random stack within the looping code. We generally take
the top function in the stack (with few exceptions) as the bug identity.
As a result, stalls with the same root would produce multiple reports
in different functions, which is bad.
Instead we identify a representative function deeper in the stack.
For most syscalls it can be the syscall entry function (e.g. SyS_timer_create).
However, for highly discriminated syscalls like ioctl/read/write/connect
we take the previous function (e.g. for connect the one that points to exact
protocol, or for ioctl the one that is related to the device).
Fixes #710
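The selection rule above, as an added example that is not syzkaller's report parser: scan the trace top-down for the first syscall entry frame; use it as the identity, except for a set of generic entry points (ioctl/read/write/connect and similar, an assumed list) where the frame just above it names the device or protocol. The entry-wrapper prefixes in the regexp and the sample traces are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// syscallEntry matches kernel syscall entry wrappers as they appear in
// stack traces (old SyS_/sys_ names and the newer __x64_sys_/__se_sys_ ones).
var syscallEntry = regexp.MustCompile(`^(?:SyS_|sys_|__sys_|__x64_sys_|__se_sys_|__do_sys_)([a-z0-9_]+)$`)

// genericSyscalls are entry points that do not identify what is looping;
// for them the callee frame (the one above) is the informative one.
// The list is an assumption for this example.
var genericSyscalls = map[string]bool{
	"ioctl": true, "read": true, "write": true, "connect": true,
	"sendmsg": true, "recvmsg": true, "sendto": true, "recvfrom": true,
	"setsockopt": true, "getsockopt": true, "bind": true, "accept": true,
}

// StallIdentity returns the frame used as the bug identity for a stall or
// lockup. frames is the trace top-down, innermost function first.
func StallIdentity(frames []string) string {
	for i, fn := range frames {
		m := syscallEntry.FindStringSubmatch(fn)
		if m == nil {
			continue
		}
		if genericSyscalls[m[1]] && i > 0 {
			return frames[i-1] // e.g. inet_stream_connect rather than SyS_connect
		}
		return fn // e.g. SyS_timer_create
	}
	if len(frames) == 0 {
		return ""
	}
	return frames[0] // no syscall frame: fall back to the top function
}

func main() {
	// Two stalls caught at different points of the same loop (constructed).
	stallA := []string{"_raw_spin_lock", "tcp_v4_connect", "inet_stream_connect", "SyS_connect", "entry_SYSCALL_64"}
	stallB := []string{"__inet_hash", "tcp_v4_connect", "inet_stream_connect", "SyS_connect", "entry_SYSCALL_64"}
	fmt.Println(StallIdentity(stallA), StallIdentity(stallB)) // both: inet_stream_connect
	timer := []string{"do_timer_create", "SyS_timer_create", "entry_SYSCALL_64"}
	fmt.Println(StallIdentity(timer)) // SyS_timer_create
}
```

With this rule the two connect stalls collapse into one report keyed on inet_stream_connect, while a stall in timer_create keeps the syscall entry itself as its identity.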
Currently we choose block device to use (nbd/loop) based on SYZ_VM_TYPE.
Strictly speaking, these things are orthogonal.
losetup is broken on Ubuntu. qemu-nbd is broken on Debian.
Try to auto-detect what will work based on uname.